Current-Users archive


Re: about veriexec


First, let me apologize for forgetting to attach the patch. It's
attached to this mail. :)

On Mon, Dec 15, 2008 at 2:41 AM, Cem Kayali wrote:

> Hi,
> - Machine has already been up and I enabled veriexec by '/etc/rc.d/veriexec
> start' just after inserting veriexec=yes into rc.conf
> - I edited veriexec sysctl parameters and they are as:
>   kern.veriexec.verbose = 1
>   kern.veriexec.strict = 2
>   kern.veriexec.algorithms = RMD160 SHA256 SHA384 SHA512 SHA1 MD5
> - I did the following operations:
>   localhost# cd /usr/pkg/bin
>   localhost# cp kasteroids
>   localhost# rm -rf kasteroids
>   localhost# cp katomic kasteroids
> - I tried to run ./kasteroids and it launched (it actually started katomic!)
> - Signature file:
>   localhost# grep kasteroids /etc/signatures
>   /usr/pkg/bin/kasteroids SHA512 3ca3929b49cff9eafdb2d644..................
> - Original checksum:
>   localhost# cksum -a sha512 /usr/pkg/bin/kasteroids
>   SHA512 (/usr/pkg/bin/kasteroids) = e2073b3f71885530cab84865f..............
> - /var/log/messages does not contain any error message.
> I am really surprised nobody until now has noticed the problem - if there is a
> problem really. This is a 4.99.7X amd64 machine. Maybe the problem is within 64
> bit systems.

My tests are done on amd64 as well, so that is not the issue.

Perhaps your signatures file isn't loaded properly? Can you try running

    veriexecctl query /usr/pkg/bin/kasteroids

and show me the output? If it indicates the fingerprint
mismatches, and you are able to overwrite/delete/run it, then we have
a problem!



Attachment: kern_verifiedexec.c.diff
Description: Binary data
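
Added example, not part of the original message or the attached patch: a userland cross-check that does in one pass what the quoted `grep` and `cksum` steps do by hand, comparing each signatures-file entry with the digest of the file currently on disk. It assumes the `path ALGORITHM fingerprint` line layout shown in the quoted output; the function names and the temporary files in `demo()` are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Algorithm names as written in the signatures file -> hashlib names.
ALGOS = {"MD5": "md5", "SHA1": "sha1", "SHA256": "sha256",
         "SHA384": "sha384", "SHA512": "sha512", "RMD160": "ripemd160"}

def parse_signatures(text):
    """Yield (path, algorithm, fingerprint) from 'path ALGO hexdigest ...' lines."""
    for line in text.splitlines():
        fields = line.split()
        # Assumption: paths contain no whitespace; '#' lines are treated as comments.
        if len(fields) >= 3 and not fields[0].startswith("#"):
            yield fields[0], fields[1].upper(), fields[2].lower()

def file_digest(path, algorithm):
    """Hex digest of the file, or None when hashlib lacks the algorithm."""
    try:
        h = hashlib.new(ALGOS[algorithm])
    except (KeyError, ValueError):
        return None
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def audit(signatures_text):
    """Map each listed path to 'ok', 'mismatch', 'missing' or 'unsupported'."""
    results = {}
    for path, algorithm, expected in parse_signatures(signatures_text):
        if not Path(path).is_file():
            results[path] = "missing"
            continue
        actual = file_digest(path, algorithm)
        if actual is None:
            results[path] = "unsupported"
        else:
            results[path] = "ok" if actual == expected else "mismatch"
    return results

def demo():
    """Constructed files: record fingerprints, then change one file's contents."""
    with tempfile.TemporaryDirectory() as d:
        a, b = Path(d, "kasteroids"), Path(d, "katomic")
        a.write_bytes(b"constructed contents A")
        b.write_bytes(b"constructed contents B")
        sigs = "".join(f"{p} SHA512 {file_digest(p, 'SHA512')}\n" for p in (a, b))
        a.write_bytes(b.read_bytes())  # file changed after fingerprinting
        return {Path(p).name: status for p, status in audit(sigs).items()}
```

This only compares the signatures file with the files on disk; whether the kernel has actually loaded an entry is what `veriexecctl query` reports.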
